Healthcare News & Insights

Lab shared patient info on peer-to-peer network, FTC says

There are a lot of ways healthcare organizations can expose sensitive patient data. Many of them involve employee mistakes and lax enforcement of IT policies. 

The Federal Trade Commission (FTC) recently filed a complaint against medical testing facility LabMD, alleging that the company failed to take steps to keep medical information secure.

Part of the accusations involve a 2008 data breach in which sensitive medical and insurance information about 9,000 patients might have been compromised.

The breach was first discovered when a security consulting firm found a spreadsheet created by the company on a public peer-to-peer file sharing network. The document contained patient names, Social Security numbers, health insurance providers and policy numbers, and medical treatment codes, among other things.

Peer-to-peer software is often used to download and share music, movies and other media. Typically, once users install a file sharing client, they can choose which folders on their computer they want to be available for other users to download. However, the computer’s entire hard drive is often selected by default and many users may neglect to change it.

That creates a big risk for organizations if employees install file-sharing software on their work computers.

Keys to protect data

While LabMD is fighting the FTC charges, there doesn’t seem to be any doubt that the spreadsheet was made available for download by other users of the file sharing network. And unfortunately, this hasn’t been the only incident of its kind.

In 2010, researchers at Dartmouth College conducted a study to see how difficult it is to pull sensitive health care info from those P2P networks.

The answer: not very difficult at all.

The researchers scoured those networks and downloaded more than 3,000 files containing insurance details, diagnosis information and personal info that can be used for medical identity theft. One of those files alone contained sensitive information about more than 28,000 patients.

To keep data safe, experts recommend hospitals and other organizations:

  • have a written policy banning peer-to-peer filesharing on computers that hold sensitive information
  • monitor the network to detect unauthorized programs, and
  • use firewalls to block peer-to-peer network traffic.
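As an added illustration of the second recommendation (monitoring the network for unauthorized programs), the following example, which is not code from the article, LabMD or the FTC, applies a simple heuristic to constructed firewall-style flow records: a host that talks to many distinct external peers almost entirely on high, non-standard ports behaves like a file-sharing client. The record layout, the thresholds and the sample addresses are all assumptions for the example.

```python
"""Flag internal hosts whose outbound connections look like peer-to-peer
file sharing: many distinct external peers, mostly on high non-standard ports.
This is a coarse heuristic; thresholds must be tuned to the real network."""
from collections import defaultdict

# Constructed sample of flow records as (src_ip, dst_ip, dst_port).
# 10.0.5.21 does ordinary web browsing; 10.0.5.42 fans out to dozens of
# peers on ephemeral ports, the pattern a P2P client typically produces.
SAMPLE_FLOWS = [
    ("10.0.5.21", "203.0.113.10", 443),
    ("10.0.5.21", "203.0.113.11", 443),
    ("10.0.5.21", "198.51.100.7", 80),
    *[("10.0.5.42", f"198.51.100.{i}", 6881 + (i % 10)) for i in range(1, 31)],
    *[("10.0.5.42", f"192.0.2.{i}", 50000 + i) for i in range(1, 16)],
]

# Ports that normal client traffic is expected to use (assumed list).
WELL_KNOWN_PORTS = {22, 25, 53, 80, 443, 993, 995}


def p2p_suspects(flows, min_peers=20, min_high_port_ratio=0.8):
    """Return {src_ip: (distinct_peers, high_port_ratio)} for every source
    host that contacted at least `min_peers` distinct destinations and whose
    share of connections to high (>=1024), non-well-known ports is at least
    `min_high_port_ratio`."""
    peers = defaultdict(set)      # src -> set of distinct destinations
    high_port = defaultdict(int)  # src -> count of high, non-standard ports
    total = defaultdict(int)      # src -> total connection count

    for src, dst, port in flows:
        peers[src].add(dst)
        total[src] += 1
        if port >= 1024 and port not in WELL_KNOWN_PORTS:
            high_port[src] += 1

    suspects = {}
    for src, dsts in peers.items():
        ratio = high_port[src] / total[src]
        if len(dsts) >= min_peers and ratio >= min_high_port_ratio:
            suspects[src] = (len(dsts), round(ratio, 2))
    return suspects


if __name__ == "__main__":
    for host, (n_peers, ratio) in p2p_suspects(SAMPLE_FLOWS).items():
        print(f"{host}: {n_peers} distinct peers, {ratio:.0%} on high ports")
```

A hit from this heuristic is a prompt to inspect the host's installed software against the written policy, not proof of file sharing on its own.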
